CVE-2020-12116
Published 2020-05-07
Priority: P1 · 80 · High · CVSS 3.1: 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 97.42% (99.9th percentile)
Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a crafted request.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_opmanager | <= 12.3 | — |
| zohocorp | manageengine_opmanager | — | — |
| zohocorp | manageengine_opmanager | — | — |
Detection & IOCs (extracted from sources)
- url: GET /cachestart/../../../../bin/.ssh_host_rsa_key
- path: /cachestart/
- path: ../../../../bin/.ssh_host_rsa_key
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Zoho ManageEngine OpManager Directory Traversal Attempt (CVE-2020-12116)"; flow:established,to_server; http.request_line; content:"GET /cachestart/"; startswith; pcre:"/^\d{1,6}/R"; content:"/cacheend/apiclient/fluidicv2/javascript/jquery/"; fast_pattern; within:53; pcre:"/^.{0,10}(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; reference:url,github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-12116.yaml; reference:cve,2020-12116; classtype:web-application-attack; sid:2056376; rev:2; metadata:affected_product Zoho_ManageEngine, created_at 2024_10_01, cve CVE_2020_12116, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, mitre_technique_id T1552, mitre_technique_name Unsecured_Credentials; target:dest_ip;)
- Exploit requests match the pattern GET /cachestart/<digits>/cacheend/apiclient/fluidicv2/javascript/jquery/ followed by directory traversal sequences (../ or URL-encoded variants) to reach arbitrary files.
- A successful exploitation attempt targeting the SSH host RSA private key will return HTTP 200 with a response body containing 'BEGIN RSA PRIVATE KEY'.
- The dynamic cache endpoint prefix can be extracted from the server's initial response body via the regex pattern (?m)/cachestart/.*/jquery/ — this value is used to construct the traversal path.
- Shodan/FOFA/Google dork can be used to identify exposed OpManager Plus instances as potential targets.
- The attack is unauthenticated and requires no prior session — no authentication headers or cookies are present in the exploit request.
- The traversal path prefix (cachestart segment) is dynamic and must be extracted from the target's HTTP response before constructing the exploit URL — a two-step request is required.
- Vulnerable versions are Stable build before 124196 and Released build before 125125; patched instances will not be exploitable.
- The Snort/ET rule (sid:2056376) requires SSL decryption to be effective against HTTPS-protected OpManager deployments, as indicated by the 'deployment SSLDecrypt' metadata.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| NVD | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
Suricata
ET WEB_SPECIFIC_APPS Zoho ManageEngine OpManager Directory Traversal Attempt (CVE-2020-12116)
suricata · 2024-10-01 · CVSS 7.5 · CVE-2020-12116 [HIGH]
Rule: sid:2056376 (full rule text listed under Detection & IOCs above)
Nuclei
Zoho ManageEngine OpManger - Arbitrary File Read
nuclei · CVSS 7.5 · CVE-2020-12116 [HIGH]
Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a specially crafted request.
Template:
id: CVE-2020-12116
info:
  name: Zoho ManageEngine OpManger - Arbitrary File Read
  author: dwisiswant0
  severity: high
  description: Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a specially crafted request.
  impact: |
    An attacker can read sensitive files on the server, potentially leading to unauthorized access, data leakage, or further exploitation.
  remediation: |
    Apply the latest security patch or upgrade to a
No writeups or analysis indexed.
References:
- https://www.manageengine.com/network-monitoring/help/read-me-complete.html
- https://www.manageengine.com/network-monitoring/help/read-me-complete.html#125125
Published: 2020-05-07